DOE/IG-0531

INSPECTION REPORT

INSPECTION OF CYBER SECURITY STANDARDS FOR SENSITIVE PERSONAL INFORMATION

NOVEMBER 2001

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF INSPECTIONS

DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL

U.S. DEPARTMENT OF ENERGY
Washington, DC 20585

November 13, 2001

MEMORANDUM FOR THE SECRETARY

FROM:    Gregory H. Friedman /s/
         Inspector General

SUBJECT: INFORMATION: Report on "Inspection of Cyber Security Standards for Sensitive Personal Information"

BACKGROUND

The Office of Inspector General (OIG), U.S. Department of Energy (DOE), identified a concern relating to the cyber security of unclassified sensitive personal information maintained by the Department under the Privacy Act of 1974, and other personal information exempt from disclosure under the Freedom of Information Act (Privacy Act/FOIA personal information). Specifically, the concern related to possible compromise of this type of information on or over DOE Headquarters and field site computer networks.

RESULTS OF INSPECTION

The OIG concluded that the Department does not always meet the requirements of the Privacy Act of 1974, the Freedom of Information Act, or the Computer Security Act of 1987 because the Department: 1) does not have Department-wide baseline criteria for protecting Privacy Act/FOIA personal information; 2) does not group Privacy Act/FOIA personal information with other unclassified sensitive information for protection; and 3) allows individual sites and program offices to develop differing security measures for protection of Privacy Act/FOIA personal information.

We recommended that the Administrator, National Nuclear Security Administration, and the Chief Information Officer, in conjunction with the Director, Freedom of Information and Privacy Acts Division, evaluate the need for additional policy or direction regarding Department-wide security requirements to protect Privacy Act/FOIA personal information maintained on, or transmitted to and from, Department computer systems connected to the Internet, Intranet (e.g., DOEnet), or e-mail.

MANAGEMENT REACTION

The OIG received two sets of comments. One set was from the Director, Freedom of Information and Privacy Acts Division, and the second set represented the combined comments of the Acting Chief Information Officer (Acting CIO) and the Associate Administrator for Management and Administration, National Nuclear Security Administration. Management concurred with the recommendation.

The Director, Freedom of Information and Privacy Acts Division, stated that several actions will be initiated to protect Privacy Act/FOIA personal information. These actions include action by the Office of Management, Budget and Evaluation (formerly the Office of Management and Administration) and the Chief Financial Officer to install a Secure Socket Layer, which provides additional protection and confidentiality, for all servers maintaining personal information under their purview.

The Acting CIO and Associate Administrator for Management and Administration disagreed that Department-wide baseline criteria were necessary for all DOE elements in order to protect Privacy Act/FOIA personal information. However, they stated that the need for policy in this area will be a topic of discussion at the next Cyber Security Policy Working Group (PWG) meeting scheduled for October 2001.

The PWG meeting was held on October 24, 2001. One topic of discussion at the meeting was the development of a "Departmental Unclassified Cyber Security Management Program Manual." The manual's objectives are to establish requirements for the unclassified cyber security program, including the protection of all the Department's information resources. A draft of the manual will be discussed further at the next PWG meeting, which is scheduled for January 2002. The manual is expected to be completed in June 2002. We are hopeful that the manual will include minimum cyber security measures for protecting Privacy Act/FOIA personal information.

Attachment

cc: Deputy Secretary
    Administrator, National Nuclear Security Administration
    Acting Chief Information Officer
    Director, Freedom of Information and Privacy Acts Division
    Director, Office of Management, Budget and Evaluation
    Director, Office of Executive Secretariat

INSPECTION OF CYBER SECURITY STANDARDS FOR SENSITIVE PERSONAL INFORMATION

TABLE OF CONTENTS

Overview
    Introduction and Objective
    Conclusion and Observations

Details of Findings
    Cyber Space Protection for Unclassified Sensitive Information
    The DOEnet and E-mail
    Department Privacy Act/FOIA Personal Information Oversight
    The Computer Security Act, The Privacy Act, and FOIA
    Department-wide Impact
    Department-wide Cyber Security Risks/Threats
    Counterintelligence Concerns
    Criminal Issues
    Recommendation
    Management Reaction
    Inspector Response

Appendices
    A. Scope and Methodology
    B. DOE Corporate Network
    C. Applications on DOEnet

Overview

INTRODUCTION AND OBJECTIVE

The Office of Inspector General, U.S. Department of Energy (DOE), identified a concern relating to the cyber security of unclassified sensitive personal information. This includes information within systems of records maintained by the Department under the Privacy Act of 1974 (Privacy Act), and other personal privacy-type information that may be exempt from disclosure under the Freedom of Information Act (FOIA). Specifically, the concern related to possible compromise of this type of information on or over DOE Headquarters and field site computer networks.

The Department currently has 38 field sites networked by intranet via the Department's corporate computer network entitled "DOEnet" (see Appendix B). DOEnet "is a centrally managed, closed network, operated over Sprint's public communications paths, designed to carry business sensitive data to users throughout the DOE federal sites." There are several DOE systems, referred to as applications, that use DOEnet or are accessed through the DOEnet. Examples include: the Corporate Human Resource Information System (CHRIS); Energy Time and Attendance; the DOEInfo database system; the Primary Organizational Web-Based Employee Records; and Travel Manager, which interfaces with the Departmental Integrated Standardized Core Accounting System. A complete listing of DOEnet applications, not all of which contain personal information, is at Appendix C.

One DOE system, the DOEInfo database system, is a repository of substantial information relating to the DOE Federal workforce. This database contains unclassified sensitive personal information that may be subject to the Privacy Act and other personal information that may be exempt from disclosure under the FOIA (to be referred to as Privacy Act/FOIA personal information). This information includes employee personal information; payroll; salary and benefits; manpower (FTE) data; Social Security numbers; and employee locator information.

There are three ways to access the DOEInfo database: through the Internet, through the DOEnet intranet, or by a hardwire to the mainframe computer. DOEInfo is encrypted if it is accessed via the Internet. However, DOEInfo is unencrypted as it is housed on its server connected to DOEnet and is unencrypted when accessed via the DOEnet. This is because DOEnet is often considered to be a private network although it is operated over the Sprint network. Additionally, e-mail that is routed daily throughout the Department may contain Privacy Act/FOIA personal information. Unencrypted e-mails sent over the DOEnet are not secure.

The objective of this inspection, therefore, was to determine whether the Department's cyber security program meets the requirements of the Privacy Act of 1974, the Freedom of Information Act, and the Computer Security Act of 1987, to adequately protect Department employees' Privacy Act/FOIA personal information from the risks associated with unauthorized disclosure.

CONCLUSION AND OBSERVATIONS

We concluded that the Department does not always meet the requirements prohibiting unauthorized disclosure of Privacy Act/FOIA personal information addressed in the Privacy Act of 1974, the Freedom of Information Act, and the Computer Security Act of 1987. The Department: 1) does not have Department-wide baseline criteria for protecting Privacy Act/FOIA personal information; 2) does not group Privacy Act/FOIA personal information with other unclassified sensitive information for protection; and 3) allows individual sites and program offices to develop differing security measures for protection of Privacy Act/FOIA personal information. The Privacy Act of 1974 provides controls on maintenance of information in a Privacy Act system of records, the Freedom of Information Act provides exemptions from disclosure, and the Computer Security Act provides that this type of data be treated, and protected, in the same manner as national interest information.

Guidelines for Privacy Act/FOIA personal information for the Department are managed by two offices: the Freedom of Information Act/Privacy Act Office, under the purview of the Office of Management and Administration; and the Office of the Chief Information Officer (CIO), under the purview of the Office of Security and Emergency Operations.[1] Although the CIO recently purchased 20,000 Public Key Infrastructure (PKI) licenses with encryption capability, there is no DOE requirement that the PKI be used as a security measure for e-mail and file data transfers by DOE employees. At present, the Department, which includes the National Nuclear Security Administration, does not have Department-wide uniform controls, such as encryption, to protect Privacy Act/FOIA personal information. As a result, the Department has no baseline cyber security requirement to ensure adequate security of Privacy Act/FOIA personal information. Instead, the Department's current policy allows each DOE site to determine the risk associated with the loss of Privacy Act/FOIA personal information when implementing cyber security. Each DOE site, therefore, may have differing security measures for Privacy Act/FOIA personal information though that type of information is the same throughout the Department.[2]

[1] Effective October 1, 2001, the Offices of Management and Administration and the Chief Financial Officer were merged and renamed the Office of Management, Budget and Evaluation. Additionally, the Chief Information Officer became a separate office reporting to the Office of the Secretary.

[2] The focus of this review was on Department-wide policy and, therefore, this inspection did not evaluate the cyber security measures taken at individual sites.

From a security standpoint, each site prepares against what the site determines to be a security threat. One site may not judge the risk of loss of Privacy Act/FOIA personal information to be as high a security threat as another site does, but threats to Privacy Act/FOIA personal information are not site-specific. The risk to Privacy Act/FOIA personal information is the same throughout the Department as long as it is on the DOEnet.

We concluded there should be a baseline policy throughout the Department concerning the protection of Privacy Act/FOIA personal information to protect DOE employees and guard against the risk of compromise of their personal information. These risks include identity theft and intelligence targeting, and the risk of potential litigation against the Department if the Department is remiss in its responsibility to protect Privacy Act/FOIA personal information.

Details of Findings

Cyber Space Protection for Unclassified Sensitive Information

DOE Notice DOE N 205.1, "Unclassified Cyber Security Program,"[3] initiated by the Office of the Chief Information Officer, establishes the framework for the Department's Unclassified Cyber Security Program.

DOE N 205.1 directs each Departmental organization to develop an individual Cyber Security Program Plan for protecting DOE information and information systems. The Cyber Security Plan is based on an organization's risk assessment of its environment, mission, and possible threats weighed against the harm incurred if information is lost, misused, disclosed, or modified without authorization. An objective of DOE N 205.1 is "To ensure that the DOE Unclassified Cyber Security Program achieves the objectives of Federal and State regulations, Executive Orders, national security directives, and other regulations."

DOE N 205.1 states that Privacy Act/FOIA personal information, along with Unclassified Controlled Nuclear Information, Naval Nuclear Propulsion Information, and Export Controlled Information, may require additional performance measures when a DOE site or program office develops its Cyber Security Program Plan. According to an official from the Office of the Chief Information Officer, DOE N 205.1 identifies two categories of unclassified sensitive information. In the first category, the Department "owners" of Unclassified Controlled Nuclear Information, Export Controlled Information, and Naval Nuclear Propulsion Information have provided policy on how these types of unclassified sensitive information are to be managed throughout the Department. Therefore, when a DOE site or program office is developing its specific Cyber Security Program Plan, that site or program office must include the security requirements of Federal and state regulations, Executive Orders, national security directives, and also Department "owner" regulations. For example, the Department "owner" of Unclassified Controlled Nuclear Information requires encryption if the information is being transmitted over a public communications path.

The second category identified in DOE N 205.1 includes Privacy Act unclassified sensitive information. The Notice does not require a Department-wide standard for all sites when protecting Privacy Act/FOIA personal information. Each DOE element can tailor its own protection mechanisms.

[3] The CIO has recently issued for comment Draft DOE O 205.1, "Departmental Cyber Security Management Program." The Draft Order does not provide any additional security measures specific to Privacy Act/FOIA.

The DOEnet and E-mail

In addition to the concern that site-specific Cyber Security Program Plans may not be adequately protecting Privacy Act/FOIA personal information, there is a risk of compromise for Privacy Act/FOIA personal information accessible via DOEnet applications and used in e-mails. DOEnet is a private network run on a public communications path. DOEnet officials told us that the application owner is responsible for applying appropriate security measures. Several application owners include Privacy Act/FOIA personal information in the data connected to or transmitted over DOEnet. Some application owners have applied encryption to the data when it is accessed via the Internet, but other owners have not.

DOE employee e-mails sometimes contain personal information that may be subject to the Privacy Act/FOIA. According to a Headquarters information technology official, if e-mails are not encrypted then it is "buyer beware." In other words, the intended recipient may not be the only individual receiving the e-mail. According to a May 11, 2000, memorandum from the then CIO, "All should be aware that information sent over the Internet or as attachments to electronic mail can be monitored, recorded, and accessed by the general public."

Department Privacy Act/FOIA Personal Information Oversight

There are two "owners" providing policy on Privacy Act/FOIA personal information. "Owners" are the system managers, or custodians, of data for the Department's system of records. The first "owner" is the Freedom of Information Act/Privacy Act Office, Office of the Executive Secretariat, Office of Management and Administration, which is responsible for administering policies, programs, and procedures for management of Privacy Act/FOIA personal information throughout the Department. However, under the Office of Management and Budget Circular A-130, "Management of Federal Information Resources," the second "owner" is the Office of the Chief Information Officer, Office of Security and Emergency Operations, which is assigned authority over Privacy Act/FOIA personal information.

We determined that the "owners" have not provided adequate protection requirements throughout the Department because the Freedom of Information Act/Privacy Act Office and the Office of the Chief Information Officer have not required a baseline Department-wide standard for all sites. A baseline standard would assist the Department in protecting its Privacy Act System of Records from unauthorized disclosure and in protecting it in the same manner as national interest information.

The Computer Security Act, The Privacy Act, and FOIA

As indicated above, DOE N 205.1 treats Privacy Act unclassified sensitive information (Privacy Act/FOIA personal information) differently than Unclassified Controlled Nuclear Information, Naval Nuclear Propulsion Information, and Export Controlled Information. We determined that this may be inconsistent with the intent of the Computer Security Act of 1987 (Public Law 100-235), which treats Privacy Act information in the same way as national interest information, such as Unclassified Controlled Nuclear Information, Naval Nuclear Propulsion Information, and Export Controlled Information. Specifically, the Computer Security Act of 1987 defines sensitive information to include any information that "the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act)." In addition, for information maintained in a system of records, the Department is required by the Privacy Act to:

    . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

Also, according to FOIA, information exempted from disclosure contains "personnel . . . and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy."

Appendix III to Office of Management and Budget (OMB) Circular No. A-130, "Security of Federal Automated Information Resources," establishes minimum controls to be included in Federal automated information security programs and incorporates requirements of the Computer Security Act of 1987 and responsibilities assigned in applicable national security directives. Appendix IV to OMB Circular No. A-130, "Analysis of Key Sections," section 3., "Analysis," requires agencies to provide appropriate protection to government information; assess the risks associated with maintenance and use; and meet the requirements of the Privacy Act of 1974 and the Computer Security Act of 1987.

We determined that the Department does not always meet the requirements prohibiting unauthorized disclosure of Privacy Act/FOIA personal information addressed in the Privacy Act of 1974, the Freedom of Information Act, and the Computer Security Act of 1987. The Department: 1) does not have Department-wide baseline criteria for protecting Privacy Act/FOIA personal information; 2) does not group Privacy Act/FOIA personal information with other unclassified sensitive information for protection; and 3) allows individual sites and program offices to develop differing security measures for protection of Privacy Act/FOIA personal information.

The Department's failure to ensure security and confidentiality of personal information against threats that can be anticipated is contrary to its own DOE N 205.1 which, as previously cited, requires the DOE Unclassified Cyber Security Program to achieve the objectives of Federal law. Additionally, by not meeting the requirements of the Privacy Act of 1974, the Freedom of Information Act, or the Computer Security Act of 1987: 1) there is the potential for litigation against the Department due to inadequate cyber security; and 2) there is the risk that the Department's employees may be subject to identity theft and intelligence targeting.

The benefit of a baseline cyber security requirement is not only for the individual stationed at any site, but for the Department in meeting the requirements of the Privacy Act of 1974, the Freedom of Information Act, and the Computer Security Act of 1987.

Department-wide Impact

A Department-wide policy on protection of PA/FOIA personal information would not only aid the Department in protecting against security threats and liability, but would assist with protecting employees from potential risks. In spite of the Privacy Act of 1974, the Freedom of Information Act, and the Computer Security Act of 1987, the Department has chosen to allow each "Departmental organization" to develop an individual Cyber Security Program Plan for protecting information and information systems at its site. However, it is the Department's responsibility to protect all its employees, not just those at sites with better cyber security measures. Although there are no absolutes in security, having a baseline security policy for Privacy Act/FOIA personal information is one step closer to ensuring that there will be minimum loss, misuse, or unauthorized access to or modification of the privacy to which individuals are entitled under section 552a of title 5.

The following sections highlight the potential risks of identity theft and intelligence targeting through increased cyber security attacks, and the need for standard security measures throughout the Department.

Department-wide Cyber Security Risks/Threats

The Computer Incident Advisory Capability (CIAC), an element of the Computer Security Technology Center at Lawrence Livermore National Laboratory, was established in 1989 to serve the DOE community. CIAC is recognized nationally and internationally and is a founding member of the "Forum of Incident Response and Security Teams," a "global organization established to foster cooperation and coordination among computer security teams worldwide." The CIAC provides statistical data on the number of cyber security incidents throughout the DOE community. CIAC's Fiscal Year (FY) 1999 Annual Report to the Department identified that "The number of incidents reported to CIAC for FY 1999 increased to 231% of that of FY 1998." The report attributes these incidents to several factors including an "Increased population of potential hackers because of the growth of the Internet," and "The continuing rise in reconnaissance activities [by adversaries] including scans and probes."

CIAC defines a security incident on a computer system as "any adverse event in a computer system or network that threatens the security of the system or network, its data, or availability." Incidents include "scanning, denial-of-service, attempted compromises, or actual compromises called intrusions."

Using a baseline of 103 DOE sites for their report, CIAC handled 3,080 DOE incidents in FY 1999, compared to 1,335 for FY 1998. According to CIAC, there were 130 successful intrusions in FY 1999 as compared to 123 in FY 1998. Forty-six DOE sites reported at least one incident in FY 1999. There may be both counterintelligence and criminal concerns associated with access to Privacy Act/FOIA personal information.
As discussed in a recent\n                      OIG audit report, \xe2\x80\x9cVirus Protection Strategies and Computer\n                      Incident Reporting,\xe2\x80\x9d DOE/OIG-0500, April 2001, the statistics\n                      presented above are based on a reporting rate of less than 50\n                      percent.\n\nCounterintelligence   According to the Department\xe2\x80\x99s Nonproliferation and National\nConcerns              Security Institute\xe2\x80\x99s \xe2\x80\x9cCounterintelligence Awareness Guide,\xe2\x80\x9d\n                      \xe2\x80\x9cForeign intelligence collectors are pursuing a broader range of\n                      targets, and it is relatively easy for them to establish contact with\n                      and assess Americans who have access to valuable classified,\n                      controlled or proprietary information.\xe2\x80\x9d Foreign intelligence\n                      operatives can target individuals for contact more easily if they\n                      know personal information such as an individual\xe2\x80\x99s social security\n\n\n\nPage 8                                                                 Details of Findings\n\x0c           number, birth date, home address, title, security clearance level, or\n           banking information.\n\n           Counterintelligence issues are addressed in DOE O 5670.3,\n           \xe2\x80\x9cCounterintelligence Program,\xe2\x80\x9d which emphasizes the importance\n           of protecting sensitive and proprietary data from foreign nationals\n           and sensitive countries. Counterintelligence concerns are raised by\n           scans and attacks from DOE sensitive countries. 
This is illustrated for FY 1999 in the following chart.

Incidents by Sensitive Countries, FY 1999
(24% of all foreign incidents, 11.1% of all incidents)

    Country        Incidents    Share
    China             186       54.2%
    Russia             72       21.0%
    Israel             47       13.7%
    Taiwan             16        4.7%
    Hong Kong          12        3.5%
    Ukraine             3        0.9%
    Pakistan            3        0.9%
    India               2        0.6%
    Belarus             1        0.3%
    Kazakhstan          1        0.3%

According to CIAC, of the 3,080 incidents, 1,412 incidents had at least one foreign source. “In looking at the 1,412 incidents involving apparent non-U.S. sources, 40 resulted in an actual system compromise. All of the rest fall into the category of attempts and reconnaissance—scans and probes.” These incidents document that DOE systems are the targets of hackers and that the compromise of Privacy Act/FOIA personal information cannot be discounted.

In commenting on the statistics in the draft version of this report, management pointed out that for fiscal year 2001, “intrusion and web defacements has dropped by more than half while the number of scans and probes has escalated by a factor of 10.”

Criminal Issues

Criminal issues are addressed, in part, by 18 USC § 1030, “Fraud and related activity in connection with computers,” and 18 USC § 1028, “Fraud and related activity in connection with identification documents and information,” also known as identity theft. According to the U.S. Postal Inspection Service:

    Identity theft involves acquiring key pieces of someone’s identifying information, such as name, address, date of birth, social security number and mother’s maiden name, in order to impersonate them. This information enables the identity thief to commit numerous forms of fraud which include, but are not limited to, taking over the victim’s financial accounts, opening new bank accounts, purchasing automobiles, applying for loans, credit cards and social security benefits, renting apartments, and establishing services with utility and phone companies.

If, through connection or transmission over DOE computer networks, Privacy Act/FOIA personal information relating to specific individuals is compromised due to inconsistent approaches to security, identity theft could take place and result in substantial harm, embarrassment, inconvenience, or unfairness to the affected individual employee, and potential litigation against the Department.

RECOMMENDATION

We recommend that the Administrator, National Nuclear Security Administration, and the Chief Information Officer, in conjunction with the Director, Freedom of Information and Privacy Acts Division:

Evaluate the need for additional policy or direction regarding a Department-wide security requirement to protect Privacy Act/FOIA personal information maintained on, or transmitted to and from, Department computer systems connected to the Internet, Intranet (e.g., DOEnet), or e-mail.

MANAGEMENT REACTION

The OIG received two sets of comments.
One set was from the Director, Freedom of Information and Privacy Acts Division, and the second set represented the combined comments of the Acting Chief Information Officer (Acting CIO) and the Associate Administrator for Management and Administration, National Nuclear Security Administration (Associate Administrator). Management concurred with the recommendation.

FOIA/Privacy Act Director’s Comments

The Director, Freedom of Information and Privacy Acts Division stated that the following actions will be initiated:

    “1) Instructions will be issued to all Department FOIA Officers and Contacts to consult and coordinate with their information management personnel to implement safeguards to protect personal information that is maintained, preserved and transmitted electronically from unauthorized access during electronic transmission.

    2) Systems of information will be reviewed to identify any other systems at the Department that may contain personal information and that should be protected from unauthorized access during electronic transmission.

    3) The Department’s Compilation of System of Records Established Under the Privacy Act will be amended to identify the safeguards that have been established to protect personal information that is maintained subject to the Privacy Act from unauthorized access.

    4) Public Key Infrastructure Technology will be developed and implemented by the Office of Management [and] Administration (MA) in conjunction with the Office of the Chief Information Officer to safeguard all systems that maintain, preserve and transmit personal information electronically from unauthorized access.”

The Director also stated he had been advised by the Office of Management, Budget and Evaluation that they have identified their systems containing personal information and will work with the Office of the Chief Information Officer to install a Secure Socket Layer for all their servers maintaining personal information. The Director went on to explain that a Secure Socket Layer provides additional protection and confidentiality for the personal information maintained on or transmitted from the servers.

Acting CIO’s/Associate Administrator’s Comments

The Acting CIO and Associate Administrator stated that the CIO published DOE Guideline 205.1-1, Cyber Security Architecture, on March 8, 2001. The Guideline recommends Department-wide baseline criteria for protecting all information, including personal information subject to the Privacy Act and FOIA. They also stated that the CIO is establishing a framework of objectives, guiding principles, and security activities and functions, applicable to the classified and unclassified environments, to govern consistent implementation of cyber security management and objectives of Federal and State regulations throughout the Department.

Despite these actions, the Acting CIO and Associate Administrator disagreed with our conclusion that the Department does not always meet the requirements of the Privacy Act, FOIA, or the Computer Security Act because the Department: 1) does not have Department-wide baseline criteria for protecting Privacy Act/FOIA personal information; 2) does not group Privacy Act/FOIA personal information with other unclassified sensitive information for protection; and 3) allows individual sites and program offices to develop differing security measures for protection of Privacy Act/FOIA personal information.

The Acting CIO and Associate Administrator determined that recommending a Department-wide baseline criteria for computer system protection is sufficient guidance to system owners and that system owners are expected to protect sensitive data using the Department’s recommended guidance. They stated that DOE policy contains an objective to ensure the confidentiality, integrity, availability, and accountability of information; and that information resources must be protected commensurate with the risks and threats of its environment. They also stated that an agency is not restricted from establishing different security measures across program lines.

The Acting CIO and Associate Administrator agreed that the Department does not have Department-wide uniform controls, such as encryption, to protect Privacy Act/FOIA personal information, but noted that the Department does require each site to evaluate the risks and threats to its information taking into consideration the mission of each organization and the environment in which they operate.

Finally, the Acting CIO and Associate Administrator said that at the October 2001 Cyber Security Policy Working Group (PWG) meeting they would discuss the need for additional policy or direction regarding a Department-wide security requirement to protect personal information. The PWG meeting was held on October 24, 2001, and mentioned development of the Departmental Unclassified Cyber Security Management Program Manual. The manual’s objectives are to establish requirements for the unclassified cyber security program, including the protection of all the Department’s information resources. It is expected the manual will be completed in June 2002. The next PWG meeting is scheduled for January 2002.

INSPECTOR RESPONSE

The comments provided by the Director, Freedom of Information and Privacy Acts Division, were responsive to the recommendation.
Regarding comments from the Acting CIO and Associate Administrator, we are encouraged that the Acting CIO is establishing a framework of objectives, guiding principles, and security activities and functions to govern consistent implementation of cyber security management and objectives throughout the Department. We are also encouraged that the Cyber Security Policy Working Group discussed the need for policy at their October 24, 2001, meeting. However, a representative from the Freedom of Information and Privacy Acts Division was not in attendance at the meeting. We recommend that all parties responsible for protection of Privacy Act/FOIA personal information be included in future meetings.

We continue to believe that guidance for Department-wide baseline criteria is inadequate because Departmental guidance does not require all DOE elements to take minimum cyber security measures for protecting Privacy Act/FOIA personal information. We agree with management that open science, on one hand, and national defense, on the other hand, do not need the same level of cyber security. However, the personal information concerning an employee located at the Thomas Jefferson National Accelerator Facility should have the same minimum protection as an employee at the Y-12 National Security Complex. The cyber risk to these employees is the same regardless of their office affiliation or location.

Management’s general comments have been incorporated into the report where appropriate.

Appendix A

SCOPE

The Office of Inspector General, U.S. Department of Energy, identified a concern relating to the cyber security of unclassified sensitive personal information maintained by the Department under the Privacy Act of 1974 and other personal information exempt from disclosure under the Freedom of Information Act. The OIG announced this inspection in September 2000.

METHODOLOGY

In conducting this inspection, the OIG identified and reviewed applicable Federal and DOE regulations. The OIG interviewed DOE and contractor officials and employees as well as officials from the Office of Management and Budget and the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce’s Technology Administration. The OIG also reviewed key documents applicable to the inspection.

Appendix B

[Figure: DOE Corporate Network]

Appendix C

Department of Energy Corporate Network (DOEnet) Application Registry
June 2000

    Application                                                        Acronym
    1.  Automated Transportation Management System                     ATMS
    3.  Business Management Information System for Financial           BMIS-FM
        Management
    4.  Corporate Human Resource Information System                    CHRIS
    5.  Departmental Integrated Standardized Core Accounting System    DISCAS
    6.  DOE Integrated Safeguards and Security System                  DISS
    7.  Electronic Commerce                                            EC Web
    8.  Energy Time and Attendance                                     ETA
    9.  Executive Information System                                   EIS
    10. Frequency Assignment Status                                    FASTAT
    11. Management Analysis Reporting System (MARS)/Financial          MARS/FIS
        Information System
    12. Procurement and Assistance Data System                         PADS
    13. Primary Organizational Web-Based Employee Records              POWER
    14. Safeguards and Security Information Management System          SSIMS
    15. WIPP Waste Information System                                  WWIS

IG Report No.: DOE/IG-0531

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers’ requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report’s overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

    Office of Inspector General (IG-1)
    Department of Energy
    Washington, DC 20585

    ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Wilma Slaughter at (202) 586-1924.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following alternative address:

    U.S. Department of Energy Office of Inspector General Home Page
    http://www.ig.doe.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.